Drones investigation by the Guardian – part one

May 28, 2014

The Guardian has kept up a fairly consistent interest in privacy issues.  Little wonder, given it was involved in releasing much of the material leaked by Snowden, who went from a low/mid level employee of the NSA to the biggest whistleblower of the current century.  The Guardian, in Drones investigation: keeping up with the droneses, part one – video, has produced a video of 4 minutes or so on drones.  Topical and quite informative.  It doesn’t add anything to the coverage to date but it is a very interesting synopsis, in particular on the privacy implications.


Hacking of ebay site results in massive privacy breach

May 22, 2014

The internet interface with an organisation’s data, whether held within the organisation or in the cloud, is always a potential target for hackers.  For those whose business is largely or exclusively online and who hold significant amounts of customers’ personal information, the consequences of a data breach resulting from a hacking attack can be immense, both reputationally and financially.  Ebay suffered damage to at least the former and probably the latter.  The unauthorised access to customers’ data occurred in the late February to early March period, around 3 months ago.  There will be questions about the delay in notifying its clients of this breach.  In the USA there is no mandatory federal data breach notification law, although most states have such laws in place.  In Australia there is no mandatory data breach notification law, although there should be.  In the last sitting week of the last Parliament such a Bill came very close to being read a second time in the Senate and passed; however, the Bill lapsed when Parliament was prorogued.

In the context of Australian privacy law a significant hacking attack does not, of itself, result in a breach of the Australian Privacy Principles.  That is clear from the guidelines.  That said, if […]

The privacy dangers of fitness tracking

May 20, 2014

Fitbits, pedometers and other fitness tracking devices, in wearable wristbands, phone apps and other devices, are becoming a regular feature of the keen, the fit and a few of the tragics.  What they all do is collect, analyse and disseminate data.  The level of sophistication has improved markedly over time, as has the audience for that data.  The more sensitive the data going to third parties, the greater the potential for serious privacy intrusions.  The Washington Post, in Privacy advocates warn of ‘nightmare’ scenario as tech giants consider fitness tracking, raises the issue of fitness apps and the severe privacy problems the data they generate can cause.

Data about heart rate, weight and whatever details are keyed in by the user is personal information if it can be tied to an identified person.  It is probably sensitive information for the purposes of the Privacy Act.  Third parties having access to that data is a very serious issue.

The article provides:

Fitness tracking apps and devices have gone from an early adopter novelty to a staple of many users’ exercise routines during the past few years  — helping users set goals and measure progress over time. Some employers even offer incentives, including insurance discounts, when workers sign up.

“There’s been a tremendous amount of evolution in the app space, both generally and in the fitness app,” since she joined the Federal Trade Commission six years ago, Senior Staff Attorney Cora Han acknowledges. “It’s a completely different landscape.”

But as several major tech companies appear poised to disrupt that landscape, privacy advocates warn […]

Lifelock, a company whose business is to provide services protecting customers from identity thieves, withdraws its Lifelock Wallet app because it is not secure enough. Ouch!

Lifelock’s homepage says it all: “Protecting Your Identity in an Always-Connected World. Comprehensive identity theft protection from LifeLock helps safeguard your finances, credit and good name. In today’s always-connected world, that’s more important than ever.”  The core of its business is data security.

In a post of 16 May Lifelock’s CEO explained that Lifelock’s mobile app is not secure.  Technically, it is not compliant with the payment card industry (PCI) security standards.  The potential for a data breach was too great a threat to tolerate.  Accordingly the apps have been withdrawn and the data deleted.

It is a salient example of why businesses must take as much care in developing their mobile apps as they do with any other aspect of their data security architecture.  If anything the care should be greater, given the additional potential for losing data on a mobile device, such as interception across unsecured Wi-Fi networks.

In the Australian context a business, particularly a large operation whose core activity is data storage and protection, that fails to comply with minimum industry security standards would run the risk of breaching APP 11 at a minimum.

The post provides:

One thing I’ve learned in business and, for that matter, life is the importance of authenticity and transparency.

With that in mind, I want to make you aware of an issue that we identified related to our recently acquired LifeLock Wallet application. We have determined that certain aspects of the mobile app may not be fully compliant with payment card industry (PCI) security standards. 

For that reason, we are removing the LifeLock Wallet application from the App Store, Amazon Apps, and Google Play, and when users open the LifeLock Wallet, their information will be deleted […]

Mobile Data sweeps worldwide

May 19, 2014

Privacy regulators have undertaken a review of mobile apps, and not before time. While mobile apps are becoming a necessary part of marketing a business, accessing services and collecting data for business, they are also an easy highway into personal data for those whose motives are less than pure.  App developers are often the weak link in data security.

The French Data Protection Authority reviewed 100 mobile apps during an internet sweep.  This was part of a global enforcement sweep, announced on May 6 (found here), which provides:

OTTAWA, May 6, 2014 — The exploding popularity of mobile applications is raising a number of privacy concerns, prompting the Global Privacy Enforcement Network (GPEN) to focus its 2014 international Privacy Sweep on mobile apps.

The Sweep from May 12 to 18, 2014, involving 27 privacy enforcement authorities from around the world, is aimed at shedding light on the collection and use of personal information on mobile apps.

“The number of mobile applications offered to consumers is growing at an astonishing rate and many of them collect a great deal of personal information,” says Chantal Bernier, Interim Privacy Commissioner of Canada. 

“It is important that consumers have […]

Hackers using Blackshades have targeted Australian computers

May 18, 2014

The Age reports, in Australians targeted in hacker raids, on a crackdown against computer hackers using the Blackshades program for illegitimate purposes.

The article provides:

Australian authorities have joined a co-ordinated global crackdown on computer hackers who use software known as Blackshades for sinister purposes.

Hackers in Australia, Canada, Asia and Europe have flooded chatrooms, online forums and websites in recent days complaining about their homes being raided and […]

MyGov site found to have weaknesses – threat to personal information obvious

May 15, 2014

Portals of whatever description, government or business, are key entry points to data storage systems.  Weak data security, program flaws or simply obsolete structures may result in a site being hacked and personal information compromised.  Verizon, in its 2014 data breach investigations report, found there were 63,000 confirmed security incidents and over 4,000 breaches worldwide.  A breach following known security flaws raises the prospect of a breach of APP 11 of the Privacy Act.

The Sydney Morning Herald reports, in Revealed: serious flaws in myGov site exposed millions of Australians’ private information, that the much vaunted MyGov website has a serious security weakness.  The potential danger of interference with sensitive personal information is clear.  APP 11 makes it clear that […]

Disbandment of OAIC and Privacy Commissioner moves to Human Rights Commission

May 14, 2014

Last night’s budget held an unwelcome development for the Information Commissioner’s office: there will be no Information Commissioner come 1 January 2015.  The Privacy Commissioner, a statutory office, will move to the Human Rights Commission and work out of Sydney.

The OAIC was well and truly quick off the mark in the legacy exercise, with a statement (found here) which provides:

We acknowledge the Australian Government’s Budget decision on Tuesday 13 May 2014 to disband the Office of the Australian Information Commissioner (OAIC) by 1 January 2015.

We note that the Freedom of Information Act 1982 (FOI Act) and the Privacy Act 1988 (Privacy Act), which confer valuable information rights on the Australian community, will continue to operate (as amended to reflect the abolition of the OAIC). The Privacy Act will continue to be administered by the Privacy Commissioner and supporting staff from an office based in Sydney. The […]

Article on mobile app and privacy

Mobile apps are notorious for being gateways into an organisation’s records.  The quality of their data security is generally poor, and sometimes worse than that.  Privacy regulators have been alive to this for some time; security experts for a lot longer.  But the relentless desire to be relevant online, and consumers’ high expectations of being able to access services, products or information, have meant that mobile apps are becoming ubiquitous. The problem is that security architecture rarely takes first, second or third priority in the design and project expenditure.

There is another issue with mobiles, their apps and privacy: the information police can access without a warrant.  This issue is considered by the Economist in There’s no app for that, which provides:

SUPREME Court oral arguments, some scholars say, are all show. The justices don their robes, stroke their chins and lob their questions at silver-tongued lawyers for an hour, and then vote just the way they would have voted anyway. According to Jeffrey Segal and Harold Spaeth, political scientists who study the Court, judicial “attitudes”, not the subtleties of legal principles, matter most in the justices’ decisions. Oral argument does not “regularly, or even infrequently, [determine] who wins and who loses.”

If the justices […]

Privacy Commissioner’s speeches during Privacy Week

During Privacy Week the Privacy Commissioner gave, or at least published on the OAIC website, 3 speeches: Mapping data breach notification, Privacy matters and Defining the sensor society.

They relevantly provide:

Defining the sensor society

It’s a pleasure to be here to speak to you today for Privacy Awareness Week, especially with so much going on in the privacy sphere lately.

Defining the sensor society is an ambitious and important topic for a two day conference. As Australia’s Privacy Commissioner, you will not be surprised to learn that, in my view, any discussion of this topic should have privacy and the protection of personal information at its core. And so I am encouraged to see that is the case in a number of the presentations that you will hear over the next two days.

Privacy is rarely out of the news these days. The media continues to report on exciting new technologies as well as on activities that raise privacy questions and […]